Professional Documents
Culture Documents
Malware is malicious software that is installed on an unknowing host. Malware that attempts network
activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data)
can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP
address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database
of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious
activity.
You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by
adding them to a static blacklist; if the dynamic database includes blacklisted addresses that you think
should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses still
generate syslog messages, but because you are only targeting blacklist syslog messages, they are
informational.
Note If you do not want to use the Cisco dynamic database at all, because of internal requirements, you can
use the static blacklist alone if you can identify all the malware sites that you want to target.
Database Files
The database files are downloaded from the Cisco update server, and then stored in running memory;
they are not stored in flash memory. Be sure to identify a DNS server for the ASA so that it can access
the Cisco update server URL. In multiple context mode, the system downloads the database for all
contexts using the admin context interface; be sure to identify a DNS server in the admin context.
If you need to delete the database, use:
• CLI—the dynamic-filter database purge command.
• ASDM—the Configuration > Firewall > Botnet Traffic Filter > Botnet Database pane Purge
Botnet Database button.
Be sure to first disable use of the database by:
• CLI—entering the no dynamic-filter use-database command.
• ASDM—unchecking the Use Botnet data dynamically downloaded from updater server check
box in the Configuration > Firewall > Botnet Traffic Filter > Botnet Database > Dynamic
Database Configuration area.
Note To filter on the domain names in the dynamic database, you need to enable DNS packet inspection with
Botnet Traffic Filter snooping; the ASA looks inside the DNS packets for the domain name and
associated IP address.
• Adult—These are sources associated with adult networks/services offering web hosting for adult
content, advertising, content aggregation, registration & billing, and age verification. These may be
tied to distribution of adware, spyware, and dialers.
• Bot and Threat Networks—These are rogue systems that control infected computers. They are either
systems hosted on threat networks or systems that are part of the botnet itself.
About the DNS Reverse Lookup Cache and DNS Host Cache
When you use the dynamic database with DNS snooping, entries are added to the DNS reverse lookup
cache. If you use the static database, entries are added to the DNS host cache (see About the Static
Database, page 4 about using the static database with DNS snooping and the DNS reverse lookup cache).
Entries in the DNS reverse lookup cache and the DNS host cache have a time to live (TTL) value
provided by the DNS server. The largest TTL value allowed is 1 day (24 hours); if the DNS server
provides a larger TTL, it is truncated to 1 day maximum.
For the DNS reverse lookup cache, after an entry times out, the ASA renews the entry when an infected
host initiates a connection to a known address, and DNS snooping occurs.
For the DNS host cache, after an entry times out, the ASA periodically requests a refresh for the entry.
For the DNS host cache, the maximum number of blacklist entries and whitelist entries is 1000 each.
The number of entries in the DNS reverse lookup cache varies per model.
Figure 1-1 How the Botnet Traffic Filter Works with the Dynamic Database
Security Appliance
DNS Dynamic
Reverse Database DNS Server
Lookup Cache
2a. Add
1a. Match?
Connection to:
Infected 3 Botnet Traffic
209.165.201.3
Host Filter
248631
3b. Send
Syslog Message/Drop Traffic Malware Home Site
Syslog Server 209.165.201.3
Figure 1-2 shows how the Botnet Traffic Filter works with the static database.
Figure 1-2 How the Botnet Traffic Filter Works with the Static Database
Security Appliance
Add entry:
DNS Static 1 bad.example.com
Host Cache Database
2a. Add DNS Server
3a. Match?
1a. DNS Request: DNS Reply:
Connection to: bad.example.com 2
3 209.165.201.3
209.165.201.3 Internet
3b. Send
248632
IPv6 Guidelines
Does not support IPv6.
Model Guidelines
The following ASA models support this feature:
• ASA 5505
• ASA 5510, 5520, 5540, 5550
• ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X
• ASA 5580
• ASA 5585-X
• ASASM
Procedure (CLI)
Step 1 Enable downloading of the dynamic database from the Cisco update server:
Example:
ciscoasa(config)# dynamic-filter updater-client enable
In multiple context mode, enter this command in the system execution space. If you do not have a
database already installed on the ASA, it downloads the database after approximately 2 minutes. The
update server determines how often the ASA polls the server for future updates, typically every hour.
Step 2 (Multiple context mode only) Change to the context so that you can configure use of the database on a
per-context basis:
changeto context context_name
Example:
ciscoasa# changeto context admin
ciscoasa/admin#
Example:
ciscoasa(config)# dynamic-filter use-database
Procedure (ASDM)
d. To redownload the database, re-check the Use Botnet data dynamically downloaded from
updater server check box.
e. Click Apply.
Note The Fetch Botnet Database button is for testing purposes only; it downloads and verifies the dynamic
database, but does not store it in running memory.
For information about the Search Dynamic Database area, see Search the Dynamic Database, page 18.
Examples
The following multiple mode example enables downloading of the dynamic database, and enables use
of the database in context1 and context2:
ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# changeto context context1
ciscoasa/context1(config)# dynamic-filter use-database
ciscoasa/context1(config)# changeto context context2
ciscoasa/context2(config)# dynamic-filter use-database
The following single mode example enables downloading of the dynamic database, and enables use of
the database:
ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# dynamic-filter use-database
Procedure (CLI)
Example:
ciscoasa(config)# dynamic-filter blacklist
Step 2 Add to the blacklist. You can add up to 1000 blacklist entries.
• Add a name to the blacklist:
name domain_name
Example:
ciscoasa(config-llist)# name bad.example.com
You can enter this command multiple times for multiple entries.
• Add an IP address to the blacklist:
address ip_address mask
Example:
ciscoasa(config-llist)# address 10.1.1.1 255.255.255.255
You can enter this command multiple times for multiple entries. The mask can be for a single host
or for a subnet.
Step 3 Edit the Botnet Traffic Filter whitelist:
dynamic-filter whitelist
Example:
ciscoasa(config)# dynamic-filter whitelist
Step 4 Add to the whitelist. You can add up to 1000 whitelist entries.
• Add a name to the whitelist:
name domain_name
Example:
ciscoasa(config-llist)# name good.example.com
You can enter this command multiple times for multiple entries.
• Add an IP address to the whitelist:
address ip_address mask
Example:
ciscoasa(config-llist)# address 10.1.1.2 255.255.255.255
You can enter this command multiple times for multiple entries. The mask can be for a single host
or for a subnet.
Procedure (ASDM)
Step 1 Choose the Configuration > Firewall > Botnet Traffic Filter > Black or White List pane, click Add
for the Whitelist or Blacklist.
Step 2 In the Addresses field, enter one or more domain names, IP addresses, and IP address/netmasks.
Enter multiple entries separated by commas, spaces, lines, or semi-colons. You can enter up to 1000
entries for each type.
Step 3 Click OK.
Step 4 Click Apply.
Examples
The following example creates entries for the blacklist and whitelist:
ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# name bad1.example.com
ciscoasa(config-llist)# name bad2.example.com
ciscoasa(config-llist)# address 10.1.1.1 255.255.255.0
ciscoasa(config-llist)# dynamic-filter whitelist
ciscoasa(config-llist)# name good.example.com
ciscoasa(config-llist)# name great.example.com
ciscoasa(config-llist)# name awesome.example.com
ciscoasa(config-llist)# address 10.1.1.2 255.255.255.255
Procedure (CLI)
Step 1 Create a class map to identify the traffic for which you want to inspect DNS:
class-map name
Example:
ciscoasa(config)# class-map dynamic-filter_snoop_class
Example:
ciscoasa(config-cmap)# match port udp eq domain
For example, you can specify an ACL for DNS traffic to and from certain addresses, or you can specify
all UDP DNS traffic.
Step 3 Add or edit a policy map so you can set the actions to take with the class map traffic:
policy-map name
Example:
ciscoasa(config)# policy-map dynamic-filter_snoop_policy
Example:
ciscoasa(config-pmap)# class dynamic-filter_snoop_class
Example:
ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
To use the default DNS inspection policy map for the map_name, specify preset_dns_map for the map
name.
Step 6 Activate the policy map on an interface:
service-policy policymap_name interface interface_name
Example:
ciscoasa(config)# service-policy dynamic-filter_snoop_policy interface outside
The interface-specific policy overrides the global policy. You can only apply one policy map to each
interface.
Procedure (ASDM)
Step 1 Configure DNS inspection for traffic that you want to snoop using the Botnet Traffic Filter. See the
configuration guide for the DNS inspection procedure. See the Before You Begin section for guidelines
on configuring DNS inspection.
Note You can also configure DNS snooping directly in the Configuration > Firewall > Service Policy Rules
> Rule Actions > Protocol Inspection > Select DNS Inspect Map dialog box by checking the Enable
Botnet traffic filter DNS snooping check box.
Step 2 Choose the Configuration > Firewall > Botnet Traffic Filter > DNS Snooping pane.
All existing service rules that include DNS inspection are listed in the table.
Step 3 For each rule for which you want to enable DNS snooping, in the DNS Snooping Enabled column,
check the check box.
Step 4 Click Apply.
Examples
The following recommended configuration creates a class map for all UDP DNS traffic, enables DNS
inspection and Botnet Traffic Filter snooping with the default DNS inspection policy map, and applies
it to the outside interface:
ciscoasa(config)# class-map dynamic-filter_snoop_class
ciscoasa(config-cmap)# match port udp eq domain
ciscoasa(config-cmap)# policy-map dynamic-filter_snoop_policy
ciscoasa(config-pmap)# class dynamic-filter_snoop_class
ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside
Enable Traffic Classification and Actions for the Botnet Traffic Filter
This procedure enables the Botnet Traffic Filter. The Botnet Traffic Filter compares the source and
destination IP address in each initial connection packet to the following:
• Dynamic database IP addresses
• Static database IP addresses
• DNS reverse lookup cache (for dynamic database domain names)
• DNS host cache (for static database domain names)
When an address matches, the ASA sends a syslog message. The only additional action currently
available is to drop the connection.
Procedure (CLI)
Step 1 (Optional) Identify the traffic that you want to monitor or drop:
access-list access_list_name extended {deny | permit} protocol source_address mask
[operator port] dest_address mask
[operator port]
Example:
ciscoasa(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa(config)# access-list dynamic-filter_acl_subset extended permit tcp 10.1.1.0
255.255.255.0 any eq 80
If you do not create an ACL for monitoring, by default you monitor all traffic. You can optionally use
an ACL to identify a subset of monitored traffic that you want to drop; be sure the ACL is a subset of the
monitoring ACL. See the general operations configuration guide for more information about creating an
ACL.
Step 2 Enable the Botnet Traffic Filter; without any options, this command monitors all traffic:
dynamic-filter enable [interface name] [classify-list access_list]
Example:
ciscoasa(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface using the
interface keyword.
You can optionally limit monitoring to specific traffic by using the classify-list keyword with an ACL.
You can enter this command one time for each interface and one time for the global policy (where you
do not specify the interface keyword). Each interface and global command can have an optional
classify-list keyword. Any interface-specific commands take precedence over the global command.
Step 3 (Optional) Automatically drop malware traffic:
dynamic-filter drop blacklist [interface name] [action-classify-list subset_access_list]
[threat-level {eq level | range min max}]
Example:
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list
dynamic-filter_acl_subset threat-level range moderate very-high
To manually drop traffic, see Block Botnet Traffic Manually, page 17.
Be sure to first configure a dynamic-filter enable command to monitor any traffic you also want to drop.
You can set an interface policy using the interface keyword, or a global policy (where you do not specify
the interface keyword). Any interface-specific commands take precedence over the global command.
You can enter this command multiple times for each interface and global policy.
The action-classify-list keyword limits the traffic dropped to a subset of monitored traffic. The dropped
traffic must always be equal to or a subset of the monitored traffic. For example, if you specify an ACL
for the dynamic-filter enable command, and you specify the action-classify-list for this command, then
it must be a subset of the dynamic-filter enable ACL.
Make sure you do not specify overlapping traffic in multiple commands for a given interface/global
policy. Because you cannot control the exact order that commands are matched, overlapping traffic
means you do not know which command will be matched. For example, do not specify both a command
that matches all traffic (without the action-classify-list keyword) as well as a command with the
action-classify-list keyword for a given interface. In this case, the traffic might never match the
command with the action-classify-list keyword. Similarly, if you specify multiple commands with the
action-classify-list keyword, make sure each ACL is unique, and that the networks do not overlap.
You can additionally limit the traffic dropped by setting the threat level. If you do not explicitly set a
threat level, the level used is threat-level range moderate very-high.
Note We highly recommend using the default setting unless you have strong reasons for changing the setting.
• very-high
Note Static blacklist entries are always designated with a Very High threat level.
Step 4 (Optional) If you configured the dynamic-filter drop blacklist command, then this command treats
greylisted traffic as blacklisted traffic for dropping purposes:
dynamic-filter ambiguous-is-black
If you do not enable this command, greylisted traffic will not be dropped. See Botnet Traffic Filter
Address Types, page 2 for more information about the greylist.
Procedure (ASDM)
Step 1 Choose the Configuration > Firewall > Botnet Traffic Filter > Traffic Settings pane.
Step 2 To enable the Botnet Traffic Filter on specified traffic, perform the following steps:
a. In the Traffic Classification area, check the Traffic Classified check box for each interface on
which you want to enable the Botnet Traffic Filter.
You can configure a global classification that applies to all interfaces by checking the Traffic
Classified check box for Global (All Interfaces). If you configure an interface-specific
classification, the settings for that interface overrides the global setting.
b. For each interface, from the ACL Used drop-down list choose either --ALL TRAFFIC-- (the
default), or any ACL configured on the ASA.
For example, you might want to monitor all port 80 traffic on the outside interface.
To add or edit ACLs, click Manage ACL to bring up the ACL Manager. See the general operations
configuration guide for more information.
Step 3 (Optional) To treat greylisted traffic as blacklisted traffic for action purposes, in the Ambiguous Traffic
Handling area, check the Treat ambiguous (greylisted) traffic as malicious (blacklisted) traffic
check box.
If you do not enable this option, greylisted traffic will not be dropped if you configure a rule in the
Blacklisted Traffic Actions area. See Botnet Traffic Filter Address Types, page 2 for more information
about the greylist.
Step 4 (Optional) To automatically drop malware traffic, perform the following steps.
To manually drop traffic, see Block Botnet Traffic Manually, page 17.
a. In the Blacklisted Traffic Actions area, click Add.
The Add Blacklisted Traffic Action dialog box appears.
b. From the Interface drop-down list, choose the interface on which you want to drop traffic. Only
interfaces on which you enabled Botnet Traffic Filter traffic classification are available.
c. In the Threat Level area, choose one of the following options to drop traffic specific threat levels.
The default level is a range between Moderate and Very High.
Note We highly recommend using the default setting unless you have strong reasons for changing
the setting.
Note Static blacklist entries are always designated with a Very High threat level.
Note Be sure the ACL is a subset of the traffic you specified in the Traffic Classification area.
To add or edit ACLs, click Manage to bring up the ACL Manager. See general operations
configuration guide for more information.
e. Click OK.
You return to the Traffic Settings pane.
f. If you want to apply additional rules to a given interface, repeat steps a through e.
Make sure you do not specify overlapping traffic in multiple rules for a given interface. Because you
cannot control the exact order that rules are matched, overlapping traffic means you do not know
which command will be matched. For example, do not specify both a rule that matches --ALL
TRAFFIC-- as well as a command with and ACL for a given interface. In this case, the traffic might
never match the command with the ACL. Similarly, if you specify multiple commands with ACLs,
make sure each ACL is unique, and that the networks do not overlap.
Step 5 Click Apply.
Examples
The following recommended configuration monitors all traffic on the outside interface and drops all
traffic at a threat level of moderate or higher:
ciscoasa(config)# dynamic-filter enable interface outside
ciscoasa(config)# dynamic-filter drop blacklist interface outside
If you decide not to monitor all traffic, you can limit the traffic using an ACL. The following example
monitors only port 80 traffic on the outside interface, and drops traffic threat level very-high only:
ciscoasa(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa(config)# dynamic-filter drop blacklist interface outside threat-level eq
very-high
For the following syslog messages, a reverse access rule can be automatically created from the Real
Time Log Viewer:
– 338001, 338002, 338003, 338004 (blacklist)
– 338201, 338202 (greylist)
Note If you create a reverse access rule form a Botnet Traffic Filter syslog message, and you do
not have any other access rules applied to the interface, then you might inadvertently block
all traffic. Normally, without an access rule, all traffic from a high security to a low security
interface is allowed. But when you apply an access rule, all traffic is denied except traffic
that you explicitly permit. Because the reverse access rule is a deny rule, be sure to edit the
resulting access policy for the interface to permit other traffic.
ACLs block all future connections. To block the current connection, if it is still active, enter
the clear conn command. For example, to clear only the connection listed in the syslog
message, enter the clear conn address 10.1.1.45 address 209.165.202.129 command. See
the command reference for more information.
Shunning blocks all connections from the host, so you should use an ACL if you want to block
connections to certain destination addresses and ports. To shun a host, enter the following command
(for ASDM, use Tools > Command Line Interface). To drop the current connection as well as
blocking all future connections, enter the destination address, source port, destination port, and
optional protocol.
ciscoasa(config)# shun src_ip [dst_ip src_port dest_port [protocol]]
For example, to block future connections from 10.1.1.45, and also drop the current connection to the
malware site in the syslog message, enter:
ciscoasa(config)# shun 10.1.1.45 209.165.202.129 6798 80
After you resolve the infection, be sure to remove the ACL or the shun. To remove the shun, enter no
shun src_ip.
Procedure (CLI)
Example:
ciscoasa# dynamic-filter database find bad.example.com
The string can be the complete domain name or IP address, or you can enter part of the name or address,
with a minimum search string of 3 characters. If there are multiple matches, the first two matches are
shown. To refine your search for a more specific match, enter a longer string.
Note Regular expressions are not supported for the database search.
Procedure (ASDM)
Step 3 To clear the displayed matches and the search string, click Clear, or you can just enter a new string and
click Find Now to get a new display.
Examples
The following example searches on the string “example.com”, and finds 1 match:
ciscoasa# dynamic-filter database find bad.example.com
bad.example.com
Found 1 matches
The following example searches on the string “bad”, and finds more than 2 matches:
ciscoasa# dynamic-filter database find bad
bad.example.com
bad.example.net
Found more than 2 matches, enter a more specific string to find an exact
match
Shows the Top Botnet Traffic Filter Hits, which shows reports of the top 10 malware sites, ports, and
infected hosts. This report is a snapshot of the data, and may not match the top 10 items since the
statistics started to be collected. If you right-click an IP address, you can invoke the whois tool to
learn more about the botnet site.
– Top Malware Sites—Shows top malware sites.
– Top Malware Ports—Shows top malware ports.
– Top Infected Hosts—Shows the top infected hosts.
• show dynamic-filter statistics [interface name] [detail]
Monitoring > Botnet Traffic Filter > Statistics
Shows how many connections were classified as whitelist, blacklist, and greylist connections, and
how many connections were dropped. (The greylist includes addresses that are associated with
multiple domain names, but not all of these domain names are on the blacklist.) The detail option
shows how many packets at each threat level were classified or dropped.
To clear the statistics, enter the clear dynamic-filter statistics [interface name] command.
The following is sample output from the show dynamic-filter statistics command:
ciscoasa# show dynamic-filter statistics
Enabled on interface outside
Total conns classified 11, ingress 11, egress 0
Total whitelist classified 0, ingress 0, egress 0
Total greylist classified 0, dropped 0, ingress 0, egress 0
Total blacklist classified 11, dropped 5, ingress 11, egress 0
Enabled on interface inside
Total conns classified 1182, ingress 1182, egress 0
Total whitelist classified 3, ingress 3, egress 0
Total greylist classified 0, dropped 0, ingress 0, egress 0
Total blacklist classified 1179, dropped 1000, ingress 1179, egress 0
Last clearing of the top sites report: at 13:41:06 UTC Jul 15 2009
The following is sample output from the show dynamic-filter reports top malware-ports
command:
Last clearing of the top sites report: at 13:41:06 UTC Jul 15 2009
The following is sample output from the show dynamic-filter reports top infected-hosts
command:
ciscoasa# show dynamic-filter reports top infected-hosts
Host Connections logged
----------------------------------------------------------------------
10.10.10.51(inside) 1190
10.12.10.10(inside) 10
10.10.11.10(inside) 5
Last clearing of the top infected-hosts report: at 13:41:06 UTC Jul 15 2009
The following recommended example configuration for multiple context mode enables the Botnet
Traffic Filter for two contexts:
Other Examples
The following sample configuration adds static entries are to the blacklist and to the whitelist. Then, it
monitors all port 80 traffic on the outside interface, and drops blacklisted traffic. It also treats greylist
addresses as blacklisted addresses.
dynamic-filter updater-client enable
changeto context context1
dynamic-filter use-database
class-map dynamic-filter_snoop_class
match port udp eq domain
policy-map dynamic-filter_snoop_policy
class dynamic-filter_snoop_class
inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
dynamic-filter blacklist
name bad1.example.com
name bad2.example.com
address 10.1.1.1 255.255.255.0
dynamic-filter whitelist
name good.example.com
name great.example.com
name awesome.example.com
address 10.1.1.2 255.255.255.255
access-list dynamic-filter_acl extended permit tcp any any eq 80
dynamic-filter enable interface outside classify-list dynamic-filter_acl
dynamic-filter drop blacklist interface outside
dynamic-filter ambiguous-is-black
changeto context context2
dynamic-filter use-database
class-map dynamic-filter_snoop_class
match port udp eq domain
policy-map dynamic-filter_snoop_policy
class dynamic-filter_snoop_class
inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
dynamic-filter blacklist
name bad1.example.com
name bad2.example.com
address 10.1.1.1 255.255.255.0
dynamic-filter whitelist
name good.example.com
name great.example.com
name awesome.example.com
address 10.1.1.2 255.255.255.255
access-list dynamic-filter_acl extended permit tcp any any eq 80
dynamic-filter enable interface outside classify-list dynamic-filter_acl
dynamic-filter drop blacklist interface outside
dynamic-filter ambiguous-is-black